Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
References
| Link | Resource |
|---|---|
| https://support.fidelissecurity.com/hc/en-us/categories/360001842694-Advisories-News-and-Policies | Permissions Required Vendor Advisory |
| https://www.securifera.com/blog/2021/06/24/operation-eagle-eye/ | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
14 Sep 2021, 18:46
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://www.securifera.com/blog/2021/06/24/operation-eagle-eye/ - Exploit, Third Party Advisory |
07 Sep 2021, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
01 Jul 2021, 19:24
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:fidelissecurity:network:*:*:*:*:*:*:*:* cpe:2.3:a:fidelissecurity:deception:*:*:*:*:*:*:*:* cpe:2.3:a:fidelissecurity:network:9.4:*:*:*:*:*:*:* cpe:2.3:a:fidelissecurity:deception:9.4:*:*:*:*:*:*:* |
|
| References | (CONFIRM) https://support.fidelissecurity.com/hc/en-us/categories/360001842694-Advisories-News-and-Policies - Permissions Required, Vendor Advisory | |
| CWE | CWE-89 | |
| CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
25 Jun 2021, 12:28
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2021-06-25 12:15
Updated : 2024-02-04 21:47
NVD link : CVE-2021-35048
Mitre link : CVE-2021-35048
CVE.ORG link : CVE-2021-35048
JSON object : View
Products Affected
fidelissecurity
- deception
- network
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')